How To Write The Jab P-Ato Vulnerability Scan Requirements Guide
|
|
- Norah Pierce
- 3 years ago
- Views:
Transcription
1 FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide Version 1.0 May 27, 2015 JAB P-ATO Vulnerability Scan Requirements Guide Page 1
2 Revision History Date Version Page(s) Description Author May 27, All Initial Version C. Andersen JAB P-ATO Vulnerability Scan Requirements Guide Page 2
3 Table of Contents About This Document... 4 Who Should Use This Document... 4 How To Contact Us Purpose Cloud Service Provider Requirements FedRAMP Activities Remediation... 7 Appendix A: Table of Acronyms... 8 JAB P-ATO Vulnerability Scan Requirements Guide Page 3
4 ABOUT THIS DOCUMENT WHO SHOULD USE THIS DOCUMENT This document is intended for the use by the following groups: Federal Risk and Authorization Management Program (FedRAMP) cloud service providers (CSPs), to ensure they provide vulnerability scans as required FedRAMP Information System Security Officers (ISSOs), to ensure the requirements are met and maintained Leveraging Agencies, to understand the scanning required by CSPs HOW TO CONTACT US For questions about FedRAMP or this document, to For more information about FedRAMP, visit the website at JAB P-ATO Vulnerability Scan Requirements Guide Page 4
5 1. PURPOSE This guide describes the requirements for all vulnerability scans of FedRAMP cloud service provider s (CSP) systems for Joint Authorization Board (JAB) Provisional Authorizations (P- ATOs). 2. CLOUD SERVICE PROVIDER REQUIREMENTS CSPs are required to perform vulnerability scanning of their information systems monthly (at a minimum). Each CSP is responsible for the delivery of the results of these vulnerability scans to their authorization official in a timely manner. These vulnerability scans are the cornerstone for the continuous monitoring of a CSP s risk posture, enabling authorizing officials to continue to authorize a CSP system for use. Each CSP must identify and use vulnerability assessment tools within their security control implementations approved by the JAB throughout the P-ATO process. These include: Operating system and network vulnerability scanners Database vulnerability scanners Web application vulnerability scanners FedRAMP security authorization requirements specify that initial vulnerability scans for the P- ATO shall be performed by a Third Party Assessment Organization (3PAO), to provide independent validation of the scan results. CSPs must use the same tools for continuous monitoring as were used by the 3PAO for the P-ATO process. In some circumstances, CSPs may request changes to these tools. However, continued use of the previous tools must continue until all identified vulnerabilities from the original tools have been mitigated. The length of overlap is dependent on the CSP correcting the remaining vulnerabilities. To ensure FedRAMP has all of the required information to perform the vulnerability analysis, the CSP shall submit the following information: Vulnerability scan data o Raw scan files (native scanner files usually some form of XML, CSV, or structured data format) o Exported summary reports (PDF, MS Word, or other readable documents). Summary reports should include Executive Summary, Detailed Summary, and Inventory Report. Actual reporting capabilities may vary by tool. Current and accurate system inventory. CSPs shall deliver a current system inventory identifying the components of the information system within the authorization boundary. The inventory must be complete and contain all boundary components. The system inventory must be delivered in a machine-readable format (XLS, CSV, XML). It is critical that the vulnerability scans and the provided system inventory is machine matchable (IP addresses, system names, or other unique identifier). Vulnerability scans and inventories that cannot be matched will be rejected by the PMO. JAB P-ATO Vulnerability Scan Requirements Guide Page 5
6 CSPs are also responsible for ensuring the highest quality vulnerability scans. Below is a list of requirements to ensure the quality of the scanning is acceptable for the FedRAMP program. Authenticated/credentialed Scans: Vulnerability scans must be performed using system credentials that allow full access to the systems. Scanners must have the ability to perform in-depth vulnerability scanning of all systems (where applicable). Systems scanned without credentials provide limited or no results of the risks. All unauthenticated scans will be rejected unless an exception has been previously granted due to applicability or technical considerations. Enable all Non-destructive Plug-ins: To ensure all vulnerabilities are discovered, the scanner must be configured to scan for all non-destructive findings. Any vulnerability scans where plug-ins were limited or excluded will be rejected. Exceptions may occur based on specific requests from the government for re-scans or targeted scans. These scans must comply with the directions provided by the government. Full System Boundary Scanning: Each scan must include all components within the system boundary. Reduced number of components or missing categories will result in rejected scans. In some cases, sampling is acceptable; however this sampling must be approved as a part of the initial Security Assessment Plan for P-ATO, and approved as a part of the Continuous Monitoring Plan at the time of P-ATO. Sampling must include a complete and comprehensive representative sample of the information system components. This includes scanning multiple components of the same category in addition to scanning all component categories. (Note: sample scanning is approved based on the ability to prove the component categories are identically configured. These categories must be maintained through configuration management and all components must be similarly configured. Discovery of mis-configured items may result in the revocation of sampling and require future scans to be comprehensive, including all system components). Scanner Signatures Up to Date: CSP must ensure that the vulnerability scanner used is up to date and includes the latest versions of the vulnerability signatures. Before scanning, each scanner must be updated to reflect the latest version of the scan engine as well as the signature files. Provide Summary of Scanning: Each scan submission must be accompanied by a summary of the scanning performed. The summary must include a listing of all the scan files submitted, which scanning tools were used, and a short summary of the purpose of the scan (e.g. monthly scans, re-scans, verification scans, etc.). In addition, the summary should discuss the configuration settings of the scanner, including if the signatures were limited for targeted, verification scans or if the scope of the scans excluded certain components or IP addresses. IP address ranges and/or a description of the targets are required. POA&M All Findings: Findings within the scans must all be addressed in a Plan of Action and Milestones (POA&M) or other risk acceptance requests and maintained until the vulnerabilities have been remediated and validated. Additional details on the JAB P-ATO Vulnerability Scan Requirements Guide Page 6
7 POA&M requirements can be found in the POA&M Template User Guide on FedRAMP.gov website. 3. FEDRAMP ACTIVITIES FedRAMP evaluates all vulnerability scanning submitted and provides a summary report to the JAB. In addition, agencies looking to leverage a CSP will also have access to the most recent risk posture information, including the continuous monitoring reports and POA&M. FedRAMP CSPs can be complex and ever-changing. It is critical that FedRAMP maintain a current posture of the system through the scanning and continuous monitoring documentation. To accomplish this, FedRAMP utilizes automated tools for the evaluation, analysis, and reporting of the risk posture. The system ISSO will review the reports and make additional modifications or additions to ensure an accurate risk posture is presented in the summary reports. 4. REMEDIATION Systems that fail to meet the quality or timeliness of the vulnerability scan submission requirements will be subject to actions. These actions may include one or more of the following: FedRAMP may require an immediate re-scan of the system. FedRAMP will clearly document the required adjustments necessary for the re-scan. FedRAMP may require a 3PAO to perform future scans for a period of time if the CSP is unable to meet the FedRAMP requirements. Continuous issues may result in FedRAMP requiring a Corrective Action Plan from a CSP as a part of maintaining a P-ATO and communicating with known agencies the deficiencies with meeting scanning requirements. The FedRAMP JAB can also revoke a P-ATO for failure to meet these requirements and remove the vendor from the FedRAMP website. FedRAMP reserves the right to take any of the actions listed above based on the severity of the deficiency. JAB P-ATO Vulnerability Scan Requirements Guide Page 7
8 APPENDIX A: TABLE OF ACRONYMS Acronym 3PAO CSP FedRAMP ISSO JAB P-ATO POA&M Meaning Third-Party Assessment Organization Cloud Service Provider Federal Risk and Authorization Management Program Information System Security Officer Joint Authorization Board Provisional Authority to Operate Plan of Action and Milestones JAB P-ATO Vulnerability Scan Requirements Guide Page 8
Overview. FedRAMP CONOPS
Concept of Operations (CONOPS) Version 1.0 February 7, 2012 Overview Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources,
More informationFedRAMP Standard Contract Language
FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal
More informationFedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO
FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO www.fedramp.gov www.fedramp.gov 1 Today s Training Welcome to Part Four of the FedRAMP Training Series:
More informationFederal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP) NIST June 5, 2013 Matt Goodrich, JD FedRAMP, Program Manager Federal Cloud Computing Initiative OCSIT GSA What is FedRAMP? FedRAMP is a government-wide
More informationSecurity Authorization Process Guide
Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 11.1 March 16, 2015 TABLE OF CONTENTS Introduction... 1 1.1 Background... 1 1.2 Purpose... 2 1.3 Scope...
More informationDISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015
DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015 New leadership breeds new policies and different approaches to a more rapid adoption of cloud services for the
More informationDecember 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments
December 8, 2011 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: SUBJECT: Steven VanRoekel Federal Chief Information Officer Security Authorization of Information Systems in Cloud Computing Environments
More informationFedRAMP Government Discussion Matt Goodrich, FedRAMP Director
FedRAMP Government Discussion Matt Goodrich, FedRAMP Director January 14, 2015 [classification marking] PAGE FedRAMP Overview Ensuring Secure Cloud Computing FedRAMP was established via OMB Memo in December
More informationContinuous Monitoring Strategy & Guide
Version 1.1 July 27, 2012 Executive Summary The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point in time security authorization processes to Ongoing Assessment and Authorization
More informationVulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014
Vulnerability Scanning Requirements and Process Clarification Disposition and FAQ 11/27/2014 Table of Contents 1. Vulnerability Scanning Requirements and Process Clarification Disposition... 3 2. Vulnerability
More informationNOTICE: This publication is available at: http://www.nws.noaa.gov/directives/.
Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE INSTRUCTION 60-703 23 April 2013 Information Technology IT Security VULNERABILITY
More informationRisk Management Framework (RMF): The Future of DoD Cyber Security is Here
Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Authors: Rebecca Onuskanich William Peterson 3300 N Fairfax Drive, Suite 308 Arlington, VA 22201 Phone: 571-481-9300 Fax: 202-315-3003
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationIndependent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
More informationManaged Service Solutions Catalogue. MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014
Managed Service Solutions Catalogue MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014 1 MANAGED SERVICES SOLUTIONS CATALOGUE Managed Services Solutions Catalogue Managed Service Solutions
More informationOffice of Inspector General
Audit Report OIG-15-003 INFORMATION TECHNOLOGY: Fiscal Service s Management of Cloud Computing Services Needs Improvement October 8, 2014 Office of Inspector General Department of the Treasury Contents
More informationQualys Scanning for PCI Devices University of Minnesota
Qualys is the vulnerability scanner that will be used to map and scan devices that are involved in credit card processing to meet the PCI-DSS quarterly internal scan and map requirement. This document
More informationSeeing Though the Clouds
Seeing Though the Clouds A PM Primer on Cloud Computing and Security NIH Project Management Community Meeting Mark L Silverman Are You Smarter Than a 5 Year Old? 1 Cloud First Policy Cloud First When evaluating
More informationDoD Cloud Computing Security Requirements Guide (SRG) Overview
DoD Cloud Computing Security Requirements Guide (SRG) Overview 1 General SRG Information Released 12 January 2015 Version 1, release 1 Provides comprehensive security guidance for components (missions)
More informationG-Cloud Pricing. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS
G-Cloud Pricing Atos infrastructure Vulnerability Scanning (Outpost24) SaaS Contents 1. Introduction... 1 2. Pricing... 2 2.1 External Network Scan... 2 2.2 PCI DSS Approved Scanner Vendor (ASV) Scan...
More informationGuide to Understanding FedRAMP. Guide to Understanding FedRAMP
Guide to Understanding FedRAMP Version 1.0 June 5, 2012 Executive Summary This document provides helpful hints and guidance to make it easier to understand FedRAMP s requirements. The primary purpose of
More informationREQUEST FOR PROPOSAL INFORMATION SECURITY PROGRAM PROVIDER
REQUEST FOR PROPOSAL INFORMATION SECURITY PROGRAM PROVIDER OCTOBER 18, 2013 1 Table of Contents I. EXECUTIVE OVERVIEW... 3 II. BACKGROUND... 3 A. Goals & Objective of Request... 3 B. Project Scope... 4
More informationFedRAMP Master Acronym List. Version 1.0
FedRAMP Master Acronym List Version 1.0 September 10, 2015 Revision History Date Version Page(s) Description Author Sept. 10, 2014 1.0 All Initial issue. FedRAMP PMO How to Contact Us For questions about
More informationCA Vulnerability Manager r8.3
PRODUCT BRIEF: CA VULNERABILITY MANAGER CA Vulnerability Manager r8.3 CA VULNERABILITY MANAGER PROTECTS ENTERPRISE SYSTEMS AND BUSINESS OPERATIONS BY IDENTIFYING VULNERABILITIES, LINKING THEM TO CRITICAL
More informationAHS Vulnerability Scanning Standard
AGENCY OF HUMAN SERVICES AHS Vulnerability Scanning Standard Jack Green 10/17/2013 The purpose of this procedure is to facilitate the implementation of the Vermont Health Connect s security control requirements
More informationLumension Endpoint Management and Security Suite
Lumension Endpoint Management and Security Suite Patch and Remediation Module Evaluation Guide July 2012 Version 1.1 Copyright 2009, Lumension L.E.M.S.S:LPR - Table of Contents Introduction... 3 Module
More informationSecureGRC TM - Cloud based SaaS
- Cloud based SaaS Single repository for regulations and standards Centralized repository for compliance related organizational data Electronic workflow to speed up communications between various entries
More informationPCI-DSS Penetration Testing
PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)
More informationWEB APPLICATION SECURITY TESTING GUIDELINES
WEB APPLICATION SECURITY TESTING GUIDELINES 1 These guidelines were developed to support the Web Application Security Standard. Please refer to this standard for additional information and/or clarification
More informationSTATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration
STATEMENT OF Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration BEFORE THE HOUSE COMMITTEE ON HOMELAND SECURITY SUBCOMMITTEE
More informationPATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationIntro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe
Intro to QualysGuard IT Risk & Asset Management Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe A Unified and Continuous View of ICT Security, Risks and Compliance
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationQuick Start Guide: Utilizing Nessus to Secure Microsoft Azure
Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure Introduction Tenable Network Security is the first and only solution to offer security visibility, Azure cloud environment auditing, system
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationVulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
More informationSTATE OF ARIZONA Department of Revenue
STATE OF ARIZONA Department of Revenue Douglas A. Ducey Governor September 25, 2015 David Raber Director Debra K. Davenport, CPA Auditor General Office of the Auditor General 2910 North 44 th Street, Suite
More informationSTATE OF NEW JERSEY IT CIRCULAR
NJ Office of Information Technology P.O. Box 212 www.nj.gov/it/ps/ Chris Christie, Governor 300 River View E. Steven Emanuel, Chief Information Officer Trenton, NJ 08625-0212 STATE OF NEW JERSEY IT CIRCULAR
More informationEffective Threat Management. Building a complete lifecycle to manage enterprise threats.
Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive
More informationFISMA Compliance: Making the Grade
FISMA Compliance: Making the Grade A Qualys Guide to Measuring Risk, Enforcing Policies, and Complying with Regulations EXECUTIVE SUMMARY For federal managers of information technology, FISMA is one of
More informationCloud Security for Federal Agencies
Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service
More informationUnited States Patent and Trademark Office
U.S. DEPARTMENT OF COMMERCE Office of Inspector General United States Patent and Trademark Office FY 2009 FISMA Assessment of the Patent Cooperation Treaty Search Recordation System (PTOC-018-00) Final
More informationManagement (CSM) Capability
CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE
More informationEsri Managed Cloud Services and FedRAMP
Federal GIS Conference February 9 10, 2015 Washington, DC Esri Managed Cloud Services and FedRAMP Erin Ross & Michael Young Agenda Esri Managed Services Program Overview Example Deployments New FedRAMP
More information2014 Audit of the Board s Information Security Program
O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL
More informationLumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation
Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Version 7.0 SP1 Evaluation Guide September 2010 Version 2.4 Copyright 2010, Lumension, Inc. Table of Contents Lumension Endpoint
More informationAudit Report. Management of Naval Reactors' Cyber Security Program
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Naval Reactors' Cyber Security Program DOE/IG-0884 April 2013 Department of Energy Washington,
More informationGETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3. May 1, 2008
GETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3 May 1, 2008 Copyright 2006-2008 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys,
More informationSecurity Control Standard
Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,
More informationQualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015
QualysGuard WAS Getting Started Guide Version 4.1 April 24, 2015 Copyright 2011-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.
More informationIntegrated Threat & Security Management.
Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate
More informationIn Brief. Smithsonian Institution Office of the Inspector General
In Brief Smithsonian Institution Office of the Inspector General Smithsonian Institution Network Infrastructure (SINet) Report Number A-09-01, September 30, 2009 Why We Did This Audit Under the Federal
More informationrating of 5 out 5 stars
SPM User Guide Contents Aegify comprehensive benefits... 2 Security Posture Assessment workflow... 3 Scanner Management... 3 Upload external scan output... 6 Reports - Views... 6 View Individual Security
More informationSecurity Control Standard
Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
More informationHow to Grow and Transform your Security Program into the Cloud
How to Grow and Transform your Security Program into the Cloud Wolfgang Kandek Qualys, Inc. Session ID: SPO-207 Session Classification: Intermediate Agenda Introduction Fundamentals of Vulnerability Management
More informationIncident Management. Verdis Spearman verdis.spearman@hq.dhs.gov 703.235.5443
Incident Management Verdis Spearman verdis.spearman@hq.dhs.gov 703.235.5443 Agenda Overview Governance Stakeholders Responsibilities Trusted Internet Connection Initiative Incident Response Requirements
More informationOnline Compliance Program for PCI
Appendix F Online Compliance Program for PCI Service Description for PCI Compliance Monitors 1. General Introduction... 3 2. Online Compliance Program... 4 2.1 Introduction... 4 2.2 Portal Access... 4
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationSysPatrol - Server Security Monitor
SysPatrol Server Security Monitor User Manual Version 2.2 Sep 2013 www.flexense.com www.syspatrol.com 1 Product Overview SysPatrol is a server security monitoring solution allowing one to monitor one or
More informationNetwork Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients
Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office 170 422 Richards Street, Vancouver BC, V6B 2Z4 E-mail: info@networktestlabs.com
More informationAudit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013
Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,
More informationSecurity Language for IT Acquisition Efforts CIO-IT Security-09-48
Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Office of the Senior Agency Information Security Officer VERSION HISTORY/CHANGE RECORD Change Number Person Posting Change Change Reason
More informationThe Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative
The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative September 2014 Council of the Inspectors General on Integrity and Efficiency Cloud Computing Initiative Executive
More informationState of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard
State of Minnesota Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard Approval: Enterprise Security Office (ESO) Standard Version 1.00 Gopal Khanna
More informationDelivering IT Security and Compliance as a Service
Delivering IT Security and Compliance as a Service Jason Falciola GCIH, GAWN Technical Account Manager, Northeast Qualys, Inc. www.qualys.com Agenda Technology Overview h The Problem: Delivering IT Security
More informationFedRAMP Penetration Test Guidance. Version 1.0.1
FedRAMP Penetration Test Guidance Version 1.0.1 July 6, 2015 Revision History Date Version Page(s) Author 06/30/2015 1.0 All First Release FedRAMP PMO 07/06/2015 1.0.1 All Minor corrections and edits FedRAMP
More informationInformation Assurance in the Cloud
Information Assurance in the Cloud The Status of FedRAMP, April 2013 AGA - Montgomery/Prince George s Chapter cliftonlarsonallen.com Session Outline 1. Cloud Services in Federal Government The Opportunity
More informationNessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)
Nessus Enterprise Cloud User Guide October 2, 2014 (Revision 9) Table of Contents Introduction... 3 Nessus Enterprise Cloud... 3 Subscription and Activation... 3 Multi Scanner Support... 4 Customer Scanning
More informationMatriXay Database Vulnerability Scanner V3.0
MatriXay Database Vulnerability Scanner V3.0 (DAS- DBScan) - - - The best database security assessment tool 1. Overview MatriXay Database Vulnerability Scanner (DAS- DBScan) is a professional tool with
More informationDepartment of Homeland Security
Evaluation of DHS Information Security Program for Fiscal Year 2013 OIG-14-09 November 2013 Washington, DC 20528 / www.oig.dhs.gov November 21, 2013 MEMORANDUM FOR: FROM: SUBJECT: Jeffrey Eisensmith Chief
More information211 LA County. Technology Infrastructure Assessment. Request for Proposals. August 2012 Request for Proposals- 211 LA County 1
211 LA County Technology Infrastructure Assessment Request for Proposals August 2012 Request for Proposals- 211 LA County 1 1. General conditions and proposers directions 1.1. Overview 1.1.1. 211 LA County
More informationAHS Flaw Remediation Standard
AGENCY OF HUMAN SERVICES AHS Flaw Remediation Standard Jack Green 10/14/2013 The purpose of this procedure is to facilitate the implementation of the Vermont Health Connect s security control requirements
More informationIBM. Vulnerability scanning and best practices
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
More informationForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)
ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationDelivering IT Security and Compliance as a Service
Delivering IT Security and Compliance as a Service Matthew Clancy Technical Account Manager Qualys, Inc. www.qualys.com Agenda Technology Overview The Problem: Delivering IT Security & Compliance Key differentiator:
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationNARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014
NARA s Information Security Program OIG Audit Report No. 15-01 October 27, 2014 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit Results... 8 Appendix
More informationProactive Vulnerability Management Using Rapid7 NeXpose
WHITE PAPER Proactive Vulnerability Management Using Rapid7 NeXpose RAPID7 Corporate Headquarters 545 Boylston Street Boston, MA 02116 617.247.1717 www.rapid7.com Proactive Vulnerability Management Using
More informationElastic Detector on Amazon Web Services (AWS) User Guide v5
Elastic Detector on Amazon Web Services (AWS) User Guide v5 This guide is intended for Elastic Detector users on AWS. Elastic Detector is available as SaaS or deployed as a virtual appliance through an
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationAudit of Security Controls for DHS Information Technology Systems at San Francisco International Airport
Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport May 7, 2015 DHS OIG HIGHLIGHTS Audit of Security Controls for DHS Information Technology Systems
More informationSecunia Corporate Software Inspector (Secunia CSI) ver.5.0
TECHNOLOGY AUDIT Secunia Corporate Software Inspector (Secunia CSI) ver.5.0 Secunia Reference Code: OI00070-107 Publication Date: December 2011 Author: Andy Kellett SUMMARY Catalyst Organizations need
More informationTenable for CyberArk
HOW-TO GUIDE Tenable for CyberArk Introduction This document describes how to deploy Tenable SecurityCenter and Nessus for integration with CyberArk Enterprise Password Vault. Please email any comments
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationNessus Perimeter Service User Guide (HTML5 Interface) March 18, 2014 (Revision 9)
Nessus Perimeter Service User Guide (HTML5 Interface) March 18, 2014 (Revision 9) Table of Contents Introduction... 3 Nessus Perimeter Service... 3 Subscription and Activation... 3 Multi Scanner Support...
More informationHyTrust Addendum to the VMware Product Applicability Guide. For. Federal Risk and Authorization Management Program (FedRAMP) version 1.
HyTrust Product Applicability Guide For Federal Risk and Authorization Management Program (FedRAMP) VMware Compliance Reference Architecture Framework to the VMware Product Applicability Guide For Federal
More informationHow To Manage A Vulnerability Management Program
VULNERABILITY MANAGEMENT A White Paper Presented by: MindPoint Group, LLC 8078 Edinburgh Drive Springfield, VA 22153 (o) 703.636.2033 (f) 866.761.7457 www.mindpointgroup.com blog.mindpointgroup.com SBA
More informationVA Office of Inspector General
VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Management of Western Area Power Administration's Cyber Security Program DOE/IG-0873 October 2012 Department
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationTRUSTWAVE VULNERABILITY MANAGEMENT USER GUIDE
.trust TRUSTWAVE VULNERABILITY MANAGEMENT USER GUIDE 2007 Table of Contents Introducing Trustwave Vulnerability Management 3 1 Logging In and Accessing Scans 4 1.1 Portal Navigation and Utility Functions...
More informationFY 2007 E GOVERNMENT ACT REPORT FINAL SEPTEMBER 2007
FY 2007 E GOVERNMENT ACT REPORT FINAL SEPTEMBER 2007 1. AGENCY SPECIFIC E GOVERNMENT INITIATIVE: USAID S VULNERABILITY MANAGEMENT PROGRAM CISO SECURITY OBJECTIVE AND VISION The U.S. Agency for International
More informationAn Enterprise Continuous Monitoring Technical Reference Architecture
An Enterprise Continuous Monitoring Technical Reference Architecture 12/14/2010 Presenter: Peter Mell Senior Computer Scientist National Institute of Standards and Technology http://twitter.com/petermmell
More informationBladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture
BladeLogic Software-as-a- Service (SaaS) Solution Help reduce operating cost, improve security compliance, strengthen cybersecurity posture February 20, 2014 Contents The Configuration Security Compliance
More information9 Free Vulnerability Scanners + 1 Useful GPO Tool
9 Free Vulnerability Scanners + 1 Useful GPO Tool Enjoy these tools to help automate the detection and remediation of vulnerabilities concerning NIST, PCI, HIPAA and many other federal regulatory requirements.
More informationHow To Use Qqsguard At The University Of Minneapolis
Qualys is a vulnerability scanner that is used for critical servers and servers subject to compliance reporting. This scanner is not generally to be used for desktop or laptop scanning. OIT has purchased
More informationAssessment and Authorization
Assessment and Authorization ProPath Office of Information and Technology Table of Contents Assessment and Authorization Process Maps... 1 Process: Assessment and Authorization... 5 Assessment and Authorization
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationVulnerability management lifecycle: defining vulnerability management
Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By
More information